Finally! It feels like ages since we last did a release. I hope you waited for us and didn’t throw your PSP away in exchange for a XBox in the meantime

The new version of Wagic is here, and the amount of new stuff that ships with it is simply awesome. I’m glad to say that some talented designers and coders recently joined our small team, dramatically improving a game that was already said to be competing with commercial software in terms of quality and replay value.

So my thanks for this release go to Jhotun (art), Jeck (art and code), Psyringe (decks), Daddy32 (code), and of course the people who have been working on Wagic with me for months now: abrasax, leungclj, Dr.Solomat, and J.

Thanks as well to the people who provide new contents on the forum everyday. You can already grab extra cards in various flavors (Naruto, Final Fantasy,…), and themes to customize your experience.

What is Wagic?

Wagic is an heroic fantasy card game in which you battle against the computer. It is available for the Sony PSP, Windows, and Linux. In Wagic, you create a deck of cards which symbolizes your army, and fight against the AI. As you win games, you earn credits and unlock cards that you can buy in the shop. With better cards, you improve your deck (or create new ones) to beat more AI opponents and unlock other game modes. Wagic is free and open source. It is currently available in English, French, Italian, German, and Spanish.

What’s new?

Ok, so what’s new with this release? Well, the changes that you will most likely see at first are graphical. With the help from professional designers and developers, we got new graphics and a new user interface. Lots of customization features, as well as new cards have been added. Get ready to get some Zendikar action

Full changelog after the cheesy promotion video

Changelog

• Around 500 new cards. Wagic now allows you to play with more than 3500 cards out of the box. Wagic allows you to play with cards from Zendikar, Magic 2010, and 30 other expansions. This is not counting all the extra content you can get from the forum at http://wololo.net/forum: Naruto, Final Fantasy, and lots of other user-created sets.
• New shop GUI, with original graphics(see the cool screenshots above). Many thanks to Jhotun for the background image!
• New user interface inGame. It is highly customizable, check the options. Wagic now has some smooth animations, you’ll love the new manapool!
• Deck Statistics in the deck editor now show you how well your deck performs against the AI, and various useful information (average mana cost, etc…)
• New Profile and Theme systems to customize your play environment. Check the Jade Theme! Also come to http://wololo.net/forum to get new themes!
• Various card bug fixes
• Deck Editor improved, you can now rename your decks directly in Wagic without an external text editor
• Improved card graphics (Thanks J and Jeck)
• Parser: new keywords (@damaged, @tapped, deathtouch, initimidate, “other” keyword for targets, “this” keyword for targets, kicker, “X” as part of abilities cost, shuffle
• New caching mechanism, no need for you to setup the “size” of your cache anymore, the cache automatically uses as much Ram as possible.
• New cool Game manual, check it out, it teaches you how to play Wagic!
• Small AI improvements
• More than 20 new AI Decks (Thanks Psyringe,Niegen,Abrasax and everyone who contributed)
• Added an exception plugin to prevent the PSP from crashing in case of a bug. Instead, you’ll get a blue screen. (Thanks to Sakya at ps2dev)

Known issues

• Purple Screen of Despair: If the game has a weird purple look and feel at startup, you just got the Purple Screen of Despair. But don’t trash your PSP yet, there’s hope. We are looking for solutions to this problem, and a few techniques can be found here
• Blue Screen of Death: We recently added an exception handler to avoid your PSP from badly freezing. If you get a blue screen of death, it’s a bad thing because it means you found a bug in Wagic, but it’s a good thing because your PSP didn’t completely crash (so you don’t have to reboot it, and PSP3000 users know how important it is to not reboot their PSPs)
• Check the list of bugs before you report an issue, thanks

Pfew… it’s always hard to summarize two months of work in a few lines… We’ve all given our best to bring you an update to one of the best homebrews out there, and we hope you’ll enjoy it.

Thanks for your support!

If you think this game deserves your love, please consider making a donation, it’ll help me buy a present for my wife (who deserves it for supporting me working on Wagic 24/7). Wagic has much more replay value than most “minis” available on the PSN, so think about it

If you want to support this game, but think homebrews and money shouldn’t be mixed, that’s perfectly fine too: please promote the game on the forums you know, create cards and themes to make the game even better, or submit bug reports. If you’re a C++ Developer, we are always looking for more good devs, so don’t be shy and join us!

Download

On the Download page, as usual
The package contains the Windows, Linux and PSP versions, enjoy!

Seriously though, what’s your favorite card in Magic?

Well, unfortunately it is actually hard to see what Wagic looked like in 2008, as I was asked to remove all pictures that contained copyrighted contents (and, at that time, there was no “picture less” mode for Wagic). But it’s still fun for me to read the old blog posts:

In October 2008, versions 0.1.0 and 0.2.1 were released. Version 0.1.0 introduced the test suite, and the AI became able to use a few simple spells. At that time, the game had a bit less than 500 cards. We have more than 3000 today, but I was already impressed, as my initial goal (2 years ago) was to handle around 250 cards and then stop working on the project But well, Wagic has become a huge part of my life in the last 2 years (will I admit I spend 99% of my free time working on this game?), and there’s no plan to stop adding cards!

October 2008 was also the release date of the PSP3000, and there was no hope of hacking it at that time. Things change

We also opened the forum in october 2008. For those who still don’t know, it’s a great place to get extra content for Wagic, as well as discuss future improvements to the game, and random PSP related stuff.

It’s quite fun to own a blog and be able to go back in time and read again the things I wrote a year ago By the way MTGRares discusses the origins of his own program MTGForge in a recent blog post.

Oh, and if you ask, we are a few weeks away from the next release of Wagic, it shouldn’t take long! (*crosses fingers*). and yes, Wagic 0.9 will have Rampaging Baloths! Actually, I believe Rampaging Baloths already works on Wagic 0.8.1, if you’re interested, check the Zendikar thread on the forum…

When they don’t lead to exploits, they lead to bug fixes, which is good too, so understand this: crashing your PSP is good for Mankind.

Recently I got a BMP file from Jeerum (you can get the file on his forum). This file crashes the PSP, and the crash looks like it could have been exploitable, except it isn’t. Rather, this example is a hint that exploiting the PSP using BMP files is probably never going to happen.

An interesting crash

Here’s the video. I’m running the XMB through PSPLink, and if you don’t know how to do this you should consider reading my blog more often

I’m doing the usual: going to the “images” section (note that the image doesn’t crash the XMB in thumbnail mode, which is quite rare), attempt to display the image, and the PSP crashes.

Now what’s interesting in this crash? Well as you see, the crash occurs when the PSP tries to Store a Word (MIPS command sw) at an address referenced by register $a1 (sw $t1 8($a1) means: store the value $t1 at $a1+8). And why is it interesting you ask? Well, $a1 is equal to FF414141, and I’m quite convinced that these three “41″ come from our BMP file. a value such as FF414141 doesn’t feel “natural” at all, (and that feeling is something you -quickly- get with experience). A quick look at the inside of the BMP file shows us that yes, there’s a bunch of 41′s that were put in there, and it’s quite certain that it’s where the ones we see in the crash come from.

Now what? Well since we can change these 41′s into what we want, it means we can write the value of t1 pretty much wherever we want in memory. It’s not an exploit yet, but it’s extremely promising.

Not so fast…

But wait… what’s that “FF” doing here?

Well that’s the main problem.

To really see where this FF414141 comes from, we can dump the entire contents of the PSP Ram, and check where this comes from.

To dump the Ram to a file, we type the command:

savemem 0×08800000 20000000000 memdump1.bin

the 0×08800000 is the start of what we want to dump. 0×08800000 is not an address I chose randomly, it’s just the address of the beginning of the Ram. The second value is the amount of bytes we want to save. As I’m too lazy to calculate, I just enter an insanely high value to be sure all the Ram will be dumped to a file. PSPLink is clever and will stop when it reaches the end. memdump1.bin is the name of the file I want to save.

We can then open this file with an Hex Editor.

In this screenshot, the addresses I show you are random (because I already investigated this crash a few months ago and I knew what I was looking for), but in reality what you have to do, rather than randomly browsing the memdump, is to understand where the contents of $a1 come from. This is done by disassembling the code around the address of the crash, and understand (through MIPS assembly) where in Ram it read its content. To disassemble code, use the command disasm. I give a few hints on how to do that in my previous articles.

Ok, so the screenshot shows us a bunch of FF414141 in Ram, which is where our value came from. It’s pretty obvious they come from the 41′s we saw in the BMP. These are the contents of the BMP, reinterpreted by the PSP to display pixels on the screen, and this is what we have to deal with if we want to create an exploit.

But wait, we didn’t put thoses “FF”‘s here, only “41″. So where do they come from?

BMP files have no alpha layer

Well to understand this you need some basics in Images on computers. Long story short, pixels on the PSP are represented with 4 bytes, ARGB (alpha, Red, Green, blue). alpha is the transparency of the pixel. Although file formats such as PNG or Tiff have an alpha layer, BMP files don’t. The PSP therefore inserts a “fake” alpha value of “FF” (which means: no transparency) for each pixel.

We’re screwed: whatever we put in the BMP file, every 4 bytes we will get a stupid “FF” inserted as a result in the PSP Ram…

Now it doesn’t mean exploits through BMP files are impossible, but it makes them difficult. Of course, the “original” series of 41′s is maybe stored somewhere else in the Ram, unchanged, but that’s unfortunately not what we deal with in this crash, which makes it useless (if we can’t control all 4 bytes of an address, we’re pretty much screwed).

I don’t think Sony planned this as a security against hackers (they have lots of other tricks against hackers, but this one is probably just the “natural” way of displaying an image with no alpha layer), but it’s still a pretty good security

The conclusion is that if you are looking for vulnerabilities with images on the PSP, you shouldn’t use image formats that have no transparency layer. Forget about BMPs and Gif, and try to focus on PNGs and Tiffs. It worked in the past

Let me explain: if an exploit is found (and revealed) in a Game on the PSP, Sony will simply remove the game temporarily from the PSN Store, and it will be available again only if the game’s developers fix the issue. So the only people who will be able to benefit the exploit will be those who downloaded the game from the PSN Store before the exploit was made public. (unless you didn’t know, the PSPGo has no UMD drive, and therefore all games for this machine must be bought on the PSN)

Yep, that’s not cool, and it explains why Freeplay doesn’t want to make the recent hack of the PSP Go public (the exploit is still useful for hackers as it allows to run unsigned code on the PSPGo, and therefore analyze its firmware more precisely). It also explains why we should now be looking for vulnerabilities in the PSP Firmware (such as the laughman tiff exploit that led to chickHEN a few months ago) rather than games.

In this article I will explain how to monitor the PSP Menu with PSPLink. If you haven’t read my previous post on savegames exploits, I suggest you do it, as  it is a nice introduction to PSP exploits. Disclaimer: I’m not the best PSPLink user in the world, so this article might be incomplete on some parts.

Setup

Imagine you have a file that crashes your PSP. It can be a video file, an mp3, an image, etc… (I will explain later how you can find or create these files). How would you tell if it can become an exploit or not? Well, as usual, the answer is clear: PSPLink.

PSPLink is a very usueful tool to analyze the Ram of the PSP. If you don’t have it yet, google for it. I personally have the version included with the minimalist PSPSDK.

PSPLink has two parts of interest for this: one that goes on the PSP (basically, an EBOOT, as most homebrews), and two executables that run on the PC (they will display the information sent by the PSP to the PC).

Once you have installed PSPLink on your PSP and plugged your PSP to your computer with a USB cable, open 2 command-line windows, in which you will run respectively usbhostfs_pc and pspsh.

When this is done, you can run the PSPLink EBOOT on your PSP. If everything goes well, pspsh on your computer will display “host0:/” and usbhostfs will say “Connected to Device”. It should look like this:

If you need more information on PSPLink, google for it.

Running the XMB/VSH

Now that’s the interesting part. If you’re a developer, you might know how to run your homebrews’ prx files from there. But how can you access the PSP Menu? Well that’s actually very easy, as you only need to type the two following commands in pspsh:

reset vsh

flash0:/vsh/module/vshmain.prx

And that’s it! Let me tell you, it is way easier than doing it for savegames, as no plugins are required.

Test your crash

Then what? Well, you do whatever is needed to reproduce your crash. In my case, I have an mp3 file that crashes the PSP, so on my PSP I go to the music menu, and try to play the files.

When the crash occurs, pspsh should display the current state of the registers, and lots of useful information.

MIPS…

From here, what you need is MIPS assembly knowledge, and lots of patience. But I can’t teach you that . For the basics, you can still read my article on Savegames, as we are looking for the exact same thing: a way to overwrite $ra

By the way, you need a hacked PSP to run PSPLink, so don’t try this on Official Firmwares.

So the PSP Go got hacked, but Freeplay mentions he will not release the exploit. It makes sense, as the game will be removed/patched from the PSN as soon as the exploit is made public, making the exploit useless. Just use this for hope

By the way, this means I was right from the start

Edit: The google ads make me laugh, suggesting “anti hackers” websites when I post stuff about PSP hacking

Rules of the contest are in French, so I guess non French speakers will not be interested, but the more the merrier

Once you win it, don’t forget to send it to me

source